Example multicast destination NAT (DNAT) configuration
The example topology shown and described below shows how to configure destination NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP address, which is 10.166.0.11. The example configuration keeps the streams separate by creating 2 multicast NAT policies. In this example the FortiGate units have the following roles:
- FGT-1 is the RP for dirty networks, 220.127.116.11/8.
- FGT-2 performs all firewall and DNAT translations.
- FGT-3 is the RP for the clean networks, 18.104.22.168/16.
- FGT-1 and FGT-3 are functioning as PM enabled routers and could be replaced can be any PIM enabled router. This example only describes the configuration of FGT-2. FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams.
- If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 22.214.171.124; FGT-3 translates the source and destination IPs to 192.168.20.1 and 126.96.36.199
- If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 188.8.131.52; FGT-3 translates the source and destination IPs to 192.168.20.10 and 184.108.40.206
Example multicast DNAT topology
To configure FGT-2 for DNAT multicast
1. Add a loopback interface. In the example, the loopback interface is named loopback.
config system interface edit loopback
set vdom root
set ip 192.168.20.1 255.255.255.0 set type loopback
2. Add PIM and add a unicast routing protocol to the loopback interface as if it was a normal routed interface. Also add static joins to the loopback interface for any groups to be translated.
config router multicast config interface
set pim-mode sparse-mode config join-group
edit 220.127.116.11 next
edit 18.104.22.168 next
3. In this example, to add firewall multicast policies, different source IP addresses are required so you must first add an IP pool:
config firewall ippool edit Multicast_source
set endip 192.168.20.20 set interface port6
set startip 192.168.20.10 next
4. Add the translation security policies.
Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool. The source and destination addresses will need to be previously created address objects. For this example, 22.214.171.124 255.255.255.255 will be represented by “example-addr_1” and 10.166.0.11
255.255.255.255 will be represented by “example-addr_2”. You will likely want to use something more intuitive from your own network.
config firewall multicast-policy edit 1
set dnat 126.96.36.199
set dstaddr example-addr_1 set dstintf loopback
set nat 192.168.20.10
set srcaddr example-addr_2 set srcintf port6
next edit 2
set dnat 188.8.131.52
set dstaddr 184.108.40.206 255.255.255.255 set dstintf loopback
set nat 192.168.20.1
set srcaddr 10.166.0.11 255.255.255.255 set srcintf port6
5. Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface.
This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the
config firewall multicast-policy edit 3
set dstintf port7
set srcintf loopback next
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos